In this phishing attack, the attacker impersonates Bendigo and Adelaide Bank, a prominent Australian financial institution, and uses a compromised account to send the target an urgent request to verify their phone number. The email claims the recipient must confirm their phone number as soon as possible using the embedded link to ensure they are the rightful account owner. Failure to do so, the message explains, may result in restricted access or temporary suspension of their account. To increase the appearance of authenticity, the threat actor incorporates “bendigo” into the username and sender display name of the email address and includes the imitated company’s logo and branding in the email body content. Should the target follow the instructions and click on the button labeled “Log in to your account”, they will be redirected to a phishing page designed to steal sensitive information, such as login credentials or payment details.

Legacy email security tools struggle to identify this email as an attack because it is sent from a compromised email account, contains genuine links to Bendigo and Adelaide Bank's website, and relies on social engineering. Modern, AI-powered email security solutions detect anomalies in the content, recognize that the message comes from a sender unknown to the recipient, and flag the included link as suspicious, and so correctly mark this email as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Compromised Legitimate Account: The attack is enabled by compromising a legitimate email account, making it difficult for legacy systems to detect it as malicious.
  • Familiar Domain Links: The email includes real links to Bendigo and Adelaide Bank's legitimate website, making the email appear more authentic and less likely to be flagged.
  • Social Engineering Tactic: The email employs urgent messaging about account verification, designed to prompt immediate action without careful consideration, thereby bypassing simple filters.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Anomalies: The urgent message about phone number verification and the potential for restricted access is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
  • Unknown Sender Consideration: The email is identified as coming from an unknown sender who has never had communication with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Link Analysis: The embedded link is scrutinized for its reputation and context, raising suspicion given its use in a potentially malicious setup.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
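The three detection signals listed above (content anomalies, an unknown sender, and a masked call-to-action link) can be illustrated with a small rule-based scorer. The following is an added example written for this page; it is not Abnormal's detection code, and its brand domain (bendigobank.example), sample messages, keyword lists, weights and threshold are all constructed assumptions chosen to show the logic, not values from any real product.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumptions (constructed for this example): the impersonated brand's legitimate
# domain and the brand keyword an impersonator is likely to reuse in the sender.
BRAND_DOMAINS = {"bendigobank.example"}
BRAND_KEYWORDS = ("bendigo",)
URGENCY_PHRASES = (
    "as soon as possible", "immediately", "restricted access",
    "temporary suspension", "suspended", "verify your", "confirm your",
)
PHISH_THRESHOLD = 6  # arbitrary cut-off for this toy scorer


@dataclass
class Email:
    display_name: str
    from_addr: str
    to_addr: str
    subject: str
    text: str
    links: list  # (anchor_text, href) pairs extracted from the HTML body


def is_brand_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def analyze(email: Email, history: dict) -> dict:
    """Score one message against the signals the write-up lists.

    history maps recipient address -> set of sender addresses that recipient
    has previously exchanged mail with (the 'communication history')."""
    local_part, _, sender_domain = email.from_addr.lower().partition("@")
    signals = {}

    # Signal 1: brand name reused in the display name or local part while the
    # sending domain is not one the brand actually owns.
    mentions_brand = any(k in email.display_name.lower() or k in local_part
                         for k in BRAND_KEYWORDS)
    signals["brand_in_sender_but_foreign_domain"] = (
        mentions_brand and not is_brand_host(sender_domain))

    # Signal 2: unknown sender, i.e. no prior correspondence with this recipient.
    known = history.get(email.to_addr.lower(), set())
    signals["unknown_sender"] = email.from_addr.lower() not in known

    # Signal 3: urgency / account-threat language in subject and body.
    body = f"{email.subject} {email.text}".lower()
    signals["urgency_phrases"] = [p for p in URGENCY_PHRASES if p in body]

    # Signal 4: link analysis. A call-to-action anchor whose destination is not
    # on the brand's domain is the masked phishing link; genuine brand links
    # elsewhere in the message must not launder it.
    masked = []
    for anchor, href in email.links:
        host = (urlparse(href).hostname or "").lower()
        if not is_brand_host(host) and re.search(r"log ?in|sign ?in|verify|confirm", anchor, re.I):
            masked.append((anchor, host))
    signals["masked_action_links"] = masked

    score = (3 * signals["brand_in_sender_but_foreign_domain"]
             + 2 * signals["unknown_sender"]
             + min(len(signals["urgency_phrases"]), 3)
             + 3 * bool(masked))
    return {"score": score,
            "verdict": "phish" if score >= PHISH_THRESHOLD else "clean",
            "signals": signals}


# Constructed samples: not real messages, addresses or domains.
HISTORY = {"customer@example.org": {"alerts@bendigobank.example"}}

PHISH = Email(
    display_name="Bendigo Customer Service",
    from_addr="bendigo.notices@compromised-smallbiz.example.com",
    to_addr="customer@example.org",
    subject="Action required: verify your phone number",
    text=("Please verify your phone number as soon as possible to confirm you are "
          "the rightful account owner. Failure to do so may result in restricted "
          "access or temporary suspension of your account."),
    links=[("Log in to your account", "https://secure-bendigo-verify.example.net/login"),
           ("Privacy policy", "https://www.bendigobank.example/privacy")],
)

BENIGN = Email(
    display_name="Bendigo Alerts",
    from_addr="alerts@bendigobank.example",
    to_addr="customer@example.org",
    subject="Your statement is ready",
    text="Your monthly statement is now available in online banking.",
    links=[("View statement", "https://www.bendigobank.example/statements")],
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze(msg, HISTORY))
```

The point of the benign sample is that a real brand link and the brand name in the display name are not suspicious on their own; it is the combination of a foreign sending domain, no prior contact, urgency language and a call-to-action link pointing off-brand that pushes the score over the threshold. A production system learns these weights from data rather than hard-coding them, but the inputs it reasons over are the same.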

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: External Compromised Account, Masked Phishing Link
  • Theme: Suspended Account, Account Verification
  • Impersonated Party: Brand
  • Impersonated Brands: Bendigo and Adelaide Bank
